Privacy Policy - BRANDLEX GROUP, S.L.
Last updated: JULY 17, 2025
1. Identification of the Data Controller. Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter, “GDPR”), as well as Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”), the interested party is informed that the person responsible for the processing of the personal data collected through this website is:
BRANDLEX GROUP, S.L. // Tax ID: B75931832 // Registered office: Plaza de San Cristóbal, 14, 03002, Alicante, Spain // Contact Email: info@brand-lex.com // Contact telephone number: +34 744 74 34 62
BRANDLEX GROUP, S.L. acts as the data controller in relation to the personal data processed within the framework of its business, technological and consulting activity, including all the processes associated with the provision of its digital, legal and training services, in strict compliance with the data protection regulations in force in the European Union.
2. Definitions and applicable regulatory framework. For the purposes of this Privacy Policy, the following definitions shall apply.
a) “Personal data”: any information about an identified or identifiable natural person, in accordance with Article 4.1 of the GDPR. b) “Data subject” or “interested party”: the natural person whose personal data are the subject of processing. c) “Processing”: any operation or set of operations carried out on personal data, such as collection, storage, use, transmission or deletion. d) “Data controller” means the legal person who determines the purposes and means of the processing. e) “Data processor”: the natural or legal person who processes the personal data on behalf of the controller. f) “International data transfer”: the sending of personal data to a third country or international organisation, outside the European Economic Area.
The processing of personal data carried out by BRANDLEX GROUP, S.L. is governed by the following legal instruments: Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR); Organic Law 3/2018, of 5 December (LOPDGDD); Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE); The guidelines, recommendations and opinions of the European Data Protection Board (EDPB); In the case of transfers, the legal guarantee instruments recognised by the European Commission, such as Standard Contractual Clauses (SCCs).
3. Principles Applicable to the Processing of Personal Data. The processing of personal data carried out by BRANDLEX GROUP, S.L. is strictly in accordance with the principles established in Article 5 of Regulation (EU) 2016/679 (GDPR), which govern all actions of the entity in terms of data protection. Specifically:
a) Lawfulness, loyalty and transparency: the data will be processed in a lawful, loyal and transparent manner in relation to the interested party, guaranteeing compliance with the legal conditions for each legitimating basis and the provision of clear, accessible and sufficient information.
b) Purpose limitation: the data will be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.
c) Data minimisation: only personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed will be processed.
d) Accuracy: the personal data will be accurate and, if necessary, updated. All reasonable steps shall be taken to ensure that inaccurate data are deleted or rectified without delay.
e) Limitation of the storage period: the data will be kept only for the time necessary for the purposes of the processing, without prejudice to their blocking when there are legal retention obligations.
f) Integrity and confidentiality: the data will be processed in a way that ensures adequate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
g) Proactive responsibility (accountability): BRANDLEX GROUP, S.L. will be responsible for complying with the above principles and for being able to demonstrate such compliance through appropriate technical, organisational and documentary measures.
4. Categories of Personal Data Processed. BRANDLEX GROUP, S.L. processes only personal data of a general nature, avoiding the collection or processing of special categories of data in accordance with article 9 of the GDPR, unless expressly authorised or required by law. The categories of data that may be subject to processing, depending on the collection channel and the relationship maintained with the data subject, are the following:
a) Identification data: name, surname, country of residence, NIF/NIE (when necessary for the issuance of invoices or contractual obligations).
b) Contact details: professional or personal email address, telephone number, postal address (if applicable).
c) Professional data: position, sector, company or institution of origin, type of client (individual or corporate), areas of legal or technological interest.
d) Browsing and technical data: IP address, cookie or session identifiers, browser used, operating system, approximate geographical location, browsing behaviour (pages visited, time spent, clicks, actions taken), provided that the data subject has accepted the corresponding cookies.
e) Electronic communications data: email opening record, interaction with emailing campaigns, subscription preferences, history of participation in forms or webinars.
f) Economic, contractual and transactional data: only within the framework of contractual or pre-contractual relationships, including invoicing data, bank account and agreed conditions.
Under no circumstances are specially protected data such as ethnic origin, political opinions, religious convictions, genetic data, data relating to health, sexual orientation or trade union membership systematically processed.
5. Purposes of processing and legal basis. BRANDLEX GROUP, S.L. processes the personal data of the interested parties exclusively for specific, explicit and legitimate purposes, in accordance with article 5.1.b of the GDPR. Each processing is based on a valid legal basis in accordance with Article 6 of the Regulation, which is detailed below:
a) Management of contact forms, requests for information or exploratory meetings. Purpose: to respond to requests, issue responses, coordinate meetings and maintain initial communications. Legal basis: legitimate interest of the controller (art. 6.1.f GDPR), consisting of proactively responding to persons interested in our services or solutions.
b) Provision of services contracted by clients, including legal, technological and training assistance. Purpose: execution of agreed services, sending of contractual documentation, after-sales service. Legal basis: execution of contract or application of pre-contractual measures (art. 6.1.b GDPR).
c) Sending newsletters, informative content, invitations to events or its own promotional communications. Purpose: to keep informed the interested parties who have voluntarily requested their inclusion in our digital communications. Legal basis: express consent of the data subject (art. 6.1.a GDPR), obtained through electronic forms or clear acceptance boxes.
d) Statistical analysis and improvement of the browsing experience through cookies and similar technologies. Purpose: to obtain metrics on user behavior on the website, in order to optimize its operation and content. Legal basis: informed consent given through the cookie management panel, in compliance with Article 5.3 of the ePrivacy Directive and Article 6.1.a of the GDPR.
e) Compliance with legal obligations in tax, accounting, data protection, money laundering or other regulatory requirements. Purpose: to meet legal and regulatory requirements imposed by competent authorities. Legal basis: compliance with the legal obligation applicable to the controller (art. 6.1.c GDPR).
f) Internal management of relationships with suppliers, collaborators or strategic partners. Purpose: to establish and execute contractual agreements, coordinate joint actions, issue payments and reports. Legal basis: execution of the contract (art. 6.1.b) and legitimate interest (art. 6.1.f), when there is no direct contractual relationship.
g) Prevention, detection and response to security incidents, improper access, fraudulent use of the website or other unlawful conduct. Purpose: to ensure the integrity of systems, prevent intrusions and protect data from unauthorised access. Legal basis: legitimate interest of the controller (art. 6.1.f GDPR), in guaranteeing the cybersecurity of its digital environments.
In the event that different or incompatible processing is foreseen or not contemplated in this clause, the prior and specific consent of the interested party will be requested, together with the appropriate extended information.
6. Data retention periods. BRANDLEX GROUP, S.L. will keep the personal data of the interested parties only for the time necessary to comply with the purposes for which they were collected, or for as long as there is a legal basis that justifies their processing. In compliance with the principle of limitation of the retention period (Art. 5(1)(e) GDPR), the following criteria apply:
a) Data obtained through contact forms, subscription or request for meetings: They will be kept for a maximum period of 12 months from the last interaction, unless they result in a subsequent contractual relationship, in which case the corresponding regime will apply to the client.
b) Data of customers and beneficiaries of contracted services: They will be kept for the duration of the contract and, after its termination, for an additional period of 6 years, for compliance with legal obligations in tax, commercial and fraud prevention or litigation matters.
c) Data relating to subscriptions to newsletters or informative communications: These will be kept until the data subject withdraws their consent, requests unsubscribe, or 2 years have elapsed without active interaction on their part (for example, without opening emails).
d) Data processed based on cookies and similar technologies: They will be kept for the periods indicated in the Cookies Policy, depending on their nature (session, persistent, analytical, etc.).
e) Data of suppliers, collaborators or strategic allies: They will be kept for as long as the contractual or collaboration relationship is in force, and for an additional period of 5 years, unless the applicable regulations require another period.
f) Data associated with security breaches, incidents or internal investigations: They will be kept for the time necessary to determine responsibilities and execute corrective actions, with a maximum of 3 years, unless they result in judicial or administrative proceedings, in which case they will be kept until their final resolution.
Once the established periods have elapsed, the data will be securely deleted or, where appropriate, blocked in accordance with article 32 of the LOPDGDD, when there is an additional legal retention obligation. The blocking will imply the total restriction of access, except for compliance with legal, judicial or competent public authority requirements.
7. Data Recipients and Processors. BRANDLEX GROUP, S.L. does not communicate or transfer personal data to third parties, except in cases where:
- The communication is necessary for the provision of a service contracted by the interested party,
- There is a valid legal obligation or administrative or judicial requirement, or
- The interested party has given their express consent to do so.
However, for the execution of certain auxiliary, administrative, technological or operational support functions, BRANDLEX GROUP, S.L. may allow access to personal data to external providers acting as data processors, under the terms defined by Article 28 of the GDPR. In all cases:
- Written contracts are signed for the processing of the data, which include, among other obligations: documented instructions, technical and organisational security measures, confidentiality commitment, non-subcontracting without prior authorisation, return or destruction of data at the end of the service.
- It is verified that such providers provide sufficient guarantees to implement appropriate measures to ensure processing in accordance with the GDPR.
The recipients or processors may include, by way of example, but not limited to:
- Cloud infrastructure providers and technology services, such as email servers, storage, CRM, marketing automation, or web analytics.
- Email marketing and subscription management platforms.
- External advisors in legal, accounting or tax matters, when required by legal or contractual obligations.
- Entities of the BRANDLEX group, such as Gualet SpA (BRANDLEX Chile), within the framework of internal operating relations, with the guarantees provided for in Clause 8 (international transfers).
Under no circumstances is there any sale, rental or free or remunerated transfer of personal data to third parties unrelated to the activity of BRANDLEX GROUP, S.L.
8. International Data Transfers. BRANDLEX GROUP, S.L. expressly informs that, within the framework of its activities, it may carry out international transfers of personal data to countries or organisations located outside the European Economic Area (EEA), exclusively when any of the following conditions are met, in accordance with Articles 44 to 49 of Regulation (EU) 2016/679:
a) Existence of a valid adequacy decision of the European Commission with respect to the receiving country or entity, which guarantees a level of protection comparable to that of the EEA (art. 45 GDPR).
b) Subscription of the Standard Contractual Clauses (SCCs) approved by the European Commission, including the corresponding modules and annexes, as well as additional guarantees where applicable, in accordance with Guidelines 01/2020 of the European Data Protection Board on complementary measures to international transfers.
c) Application of Binding Corporate Rules (BCRs) approved by a competent supervisory authority, in the case of multinational business groups (art. 47 GDPR).
d) Explicit and informed consent of the interested party, in the cases provided for by law and always as a last resort (art. 49.1.a GDPR).
In particular, BRANDLEX GROUP, S.L. maintains operational relations with its associated entity BRANDLEX SpA, incorporated in the Republic of Chile, a country that currently does not have an adequacy decision by the European Commission. Therefore, any flow of personal data to said entity is carried out:
- Under a bilateral agreement signed between the two entities, in accordance with the Standard Contractual Clauses (Implementing Decision (EU) 2021/914, modular version),
- With prior assessment of the risk of the transfer, including analysis of local legislation,
- Implementing strengthened technical and organisational measures, such as data encryption, pseudonymisation and access control, and
- Limiting access to what is strictly necessary depending on the specific assignment or contractual relationship.
In addition, certain technology providers based in the USA or other third countries (e.g. cloud services, CRM, marketing automation) may access personal data, only under the prior subscription of updated SCCs and after verifying that their contractual and operational conditions respect European standards. BRANDLEX GROUP, S.L. maintains a register of international transfers in accordance with the principle of proactive responsibility, at the disposal of the competent supervisory authority.
9. Rights of Data Subjects. Data subjects may exercise, at any time and free of charge, the rights recognised by Regulation (EU) 2016/679 (GDPR), as well as Organic Law 3/2018 (LOPDGDD), in relation to the processing of their personal data. These rights are:
a) Right of access (art. 15 GDPR): Obtain confirmation as to whether or not BRANDLEX GROUP, S.L. is processing your personal data, and access to said data and detailed information on its processing.
b) Right to rectification (art. 16 GDPR): Request the correction of inaccurate or incomplete personal data.
c) Right to erasure (art. 17 GDPR): Request the deletion of data when they are no longer necessary for the purposes for which they were collected, when you have withdrawn your consent or when you object to the processing, among other legally provided cases.
d) Right to restriction of processing (Art. 18 GDPR): Request that the processing of your personal data be restricted in certain circumstances (e.g. while the accuracy of the data or the lawfulness of the processing is verified).
e) Right to data portability (art. 20 GDPR): To receive your personal data in a structured, commonly used and machine-readable format, and to transmit them to another data controller, when the processing is based on consent or a contract and is carried out by automated means.
f) Right to object (art. 21 GDPR): Object to the processing of your personal data on grounds related to your particular situation, when the basis of the processing is the legitimate interest of the controller, including profiling.
g) Right not to be subject to automated individual decisions (art. 22 GDPR): Not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect you, except for exceptions provided for by law.
h) Right to withdraw consent: When the processing is based on the consent of the data subject, the data subject may withdraw it at any time, without affecting the lawfulness of the processing carried out previously.
To exercise any of the above rights, the interested party may contact BRANDLEX GROUP, S.L. by written request to the following email address: 📩 info@brand-lex.com
The application must include at least: (i) the applicant’s name and surname, (ii) the right to be exercised, (iii) the data on which the right is exercised, and (iv) a copy of the applicant’s identity document or equivalent identification mechanism.
BRANDLEX GROUP, S.L. will respond to the request within a maximum period of one (1) calendar month, which may be extended to two (2) months in the case of particularly complex requests, in accordance with article 12.3 of the GDPR.
If they consider that their right to data protection has been violated, the interested party may file a complaint with the Spanish Data Protection Agency (AEPD), through its electronic headquarters: www.aepd.es
10. Security and confidentiality measures. BRANDLEX GROUP, S.L. has implemented the necessary technical and organisational measures to guarantee a level of security appropriate to the risk, in compliance with Article 32 of the GDPR, the principle of integrity and confidentiality (Article 5.1.f), and in accordance with the principle of proactive responsibility (Article 5.2).
These measures have been adopted after carrying out a risk analysis, taking into account the nature of the data processed, the category of data subjects, the scale of the processing, the purposes pursued and the potential impacts on the rights and freedoms of natural persons.
Among others, the security measures applied by BRANDLEX GROUP, S.L. include:
- Physical and logical access control to systems and data, through individual credentials, strong authentication and access logging.
- Encryption of personal data, both in transit and at rest, when the nature of the data or medium requires it.
- Intrusion detection and prevention systems, antivirus, firewalls and network segmentation.
- Regular backups and procedures for restoring availability and access to personal data quickly in the event of a physical or technical incident.
- Robust password management policy, with periodic expiration and defined minimum requirements.
- Recording and auditing of activities, including traceability of critical treatments and access to confidential information.
- Internal protocols for reporting and managing security breaches, in accordance with Article 33 of the GDPR, with a documented procedure to notify the supervisory authority within 72 hours and, if applicable, the data subject concerned.
- Continuous training and awareness of staff, including contractual clauses of confidentiality and restricted access according to the principle of least privilege.
- Periodic review and continuous improvement of security measures, in accordance with good practices and international standards.
In addition, BRANDLEX GROUP, S.L. verifies that all its processors and external suppliers with access to personal data comply with equivalent security requirements, through specific contractual clauses and evaluation of its operational practices. All BRANDLEX GROUP, S.L. personnel, including authorised external collaborators, are subject to permanent confidentiality duties, even after the contractual or professional relationship has ended, and have been duly trained in data protection matters.
11. Automated Decisions and Profiling. BRANDLEX GROUP, S.L. does not adopt decisions that produce legal effects on the data subject or that significantly affect them in a similar way, based exclusively on automated processing, including profiling, under the terms established by article 22 of the GDPR.
In the event that, in the future, processing involving automated decisions with significant effects on the rights of the data subject is implemented (e.g. automatic evaluation of behaviour, segmentation with contractual consequences, etc.), the following shall be ensured:
- That there are mechanisms of significant human intervention in the process,
- That the interested party be informed in advance and expressly about the logic applied, the expected consequences and their rights,
- That the data subject has the right to obtain human intervention, to express his or her point of view and to challenge the decision, as provided for in Article 22.3 of the GDPR,
- That the impact of the processing is assessed by means of a Data Protection Impact Assessment (DPIA), if applicable.
Likewise, BRANDLEX GROUP, S.L. may create basic non-automated profiles based on information voluntarily provided by the interested party (for example, sector of interest, browsing history or response to information campaigns), for the sole purpose of personalising content and communications, provided that there is a valid legal basis (consent or documented legitimate interest) and without this implying decisions with legal or discriminatory effects.
In any case, the interested party may object at any time to the creation of profiles for commercial or analytical purposes, through the channels provided for in this policy.
12. Modifications to the Privacy Policy. This Privacy Policy may be modified or updated at any time by BRANDLEX GROUP, S.L., on the occasion of:
- Legislative or jurisprudential changes that affect the applicable regulatory framework,
- Adaptations to recommendations, resolutions or guidelines of the European Data Protection Board (EDPB) or the Spanish Data Protection Agency (AEPD),
- Introduction of new processing of personal data, new purposes or collection channels,
- Changes in the internal structure, processes or technological tools used in the treatment.
In all cases, BRANDLEX GROUP, S.L. undertakes to:
- Post the updated version on the official website (https://www.brand-lex.com), indicating the date of last update in its header.
- Notify in a clear, accessible and anticipated manner any substantial change that implies a relevant alteration of the purposes, legal bases, rights of the data subjects or recipients of the data. Such notification may be made through electronic channels, information banners or, if applicable, by direct communication to the email provided by the interested party.
- Obtain the explicit consent of the interested party again in cases where the modification involves a substantive change in the processing based on said legal basis.
Users are encouraged to periodically review this Policy to stay informed about how and for what purpose we process their personal data.
13. Final Provisions. This Privacy Policy constitutes the internal regulatory framework adopted by BRANDLEX GROUP, S.L. to ensure full compliance with current legislation on the protection of personal data in the European Union, and reflects the entity’s ethical, legal and operational commitment to the privacy of data subjects.
This Policy complements any other specific notice that may be delivered to the data subject at data collection points (electronic forms, contracts, individualized communications, etc.) and is interpreted in a manner consistent with the principles of the General Data Protection Regulation. In the event of a contradiction between this Policy and any other contractual document signed between the interested party and BRANDLEX GROUP, S.L., the one that is most favourable for the protection of the rights of the interested party shall prevail.
This Policy is subject to Spanish and European law on data protection. For the resolution of any dispute relating to the interpretation, application or validity of this Policy, the parties submit, expressly waiving any other jurisdiction, to the competent Courts and Tribunals of the city of Alicante (Spain), without prejudice to the rights of the interested party as a consumer or resident in another Member State of the European Union.
BRANDLEX GROUP, S.L.
Corporate name: BRANDLEX GROUP, S.L.
Tax ID: B75931832
Registered office: Plaza de San Cristóbal, 14, 03002, Alicante, Spain
Website: https://www.brand-lex.com
Contact Email: info@brand-lex.com
Effective Date: July 17, 2025
Version: 2.0